(12) INTERNATIONAL APPLICATION PUBLISHED UNDER THE PATENT C00PER4TI0N TREATY (PCT) 



(19) World Intellectual Property Organization 

International Bureau 




(43) International Publication Date (10) International Publication Number 

23 August 2001 (23.08.2001) PCT WO 01/61437 A2 



(51) International Patent Classification^; G06F 1/00 

(21) Tnternatlonal Application Number: PCTArSOI/04424 

(22) Tnternatlonal Filing Date: 12 February 2001 (12.02.2001) 

(25) Filing Language: English 

(26) Publication Language: English 

(30) Priority Data: 

09/505,890 17 February 2000 (17.02.2000) US 

(71) Applicant: GENERAL INSTRUMENT CORPORA- 
TION [USAJvS]; 101 Tournament Drive, Horsham, PA 
19044 (US). 

(72) Inventors: GOFFIN, Gleu; 351 Dublin Pike, Foun- 
tainville, PA 18923 (US). BOOTH, Robert; 1700 
Rockcrcss Drive, .Tamison, PA 18929 (IK). 



(74) Agent: KANANEN, Rouald; Radcr Fishman & Graucr 
PLLC, 1233 20th Street, NW, Suite 501, Washington, DC 
20036 (US). 

(81) Designated States (national): AE, AG, AL, AM, AT, AU, 
AZ, BA, BB, BG, BR, BY, BZ, CA, CH, CN, CR, CU, CZ, 
DE, DK, DM, DZ, EE, ES, H, GB, GD, GE, GH, GM, HR, 
HU, ID, XL, IN, IS, JP, KE, KG, KP, KR, KZ, LC, LK, LR, 
LS, LT, LU, LV, MA, MD, MG, MK, MN, MW, MX, MZ, 
NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, 
TR, 'IT, TZ, UA, UG, UZ, VN, YU, ZA, ZW. 

(84) Designated States (regional): ARIPO patent (GH, GM, 
KE, US, MW, MZ, SD, SL, SZ, TZ, UG, ZW), Eurasian 
patent (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), European 
patent (AT, BE, CH, CY, DE, DK, ES, H, FR, GB, OR, IE, 
rr, LU, MC, NL, PT, SB, TR). OAPI patent (BF, BJ, CF, 
CG, CI, CM, GA, ON, GW, ML, MR, NB, SN, TD, TO). 

Published: 

— without international search report and to be republished 
upon receipt of that report 



[Continued on next page] 



= (54) Title: METHOD AND APPARATUS FOR PROVIDING SECURE CONTROL OF SOFTWARE OR FIRMWARE CODE 
s DOWNLOADING AND SECURE OPERATION OF A COMPUTING DEVICE RECEIVING DOWNLOADED CODE 



9 

— ■■ ■ — 

^ (57) Abstract; A method and system for secure downloading of software includes a master processor for receiving downloaded 
^ blocks of code which are associated with a computed authentication signature derived bom the content of the code block. A secure 
processor re-computes the autlientication signature fiomt he content of the downloaded code block and compares the computed 
^ signature to that received with the code block. If the signatures do not match or if no signature is appended to the downloaded data, 
^ the secure proce.ssor determines that the code is from an authorized sender or has been alteiBd during transmission, perhaps to include 
^ a virus. The secure processor then lakes appropriate protective action. 
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TITLE OF THE INVENTION 

Method and Apparatus for Providing Secure 
Control of Software or Pinnware Code Dovmloading and 
Secure Operation of a Computing Device Receiving 
5 Dovniloaded Code. 

FIELD OF THE INVENTION 

The present invention relates to the field of 
transmitting software or firmware programming code 

10 to a recipient computing device, such as a set-top 
terminal. The present invention also relates to the 
field of controlling the downloading of such code to 
the computing device in a secure manner such that no 
virus or alteration in the code is permitted, and 

15 such tha.t the code is not freely transferable to 
other computing devices. The present invention 
further relates to the field of secure operation of 
a computing device that executes downloaded program 
code so as to prevent that computing device from 

20 being used to gain oxnauthorized access to services. 
The present invention further relates to the field 
of secure operation of the computing device so as to 
prevent the execution of a virus or other code that 
may impair the computing device or cause it to 

25 function in an unauthorized manner. 

BACKGROUND OF THE INVENTION 

Communication in modern society has been 
greatly enhanced by the advent of such widespread 

30 data networks as public telephone systems, the world 
wide web, and cable and satellite television 
systems. Particularly with the world wide web and 
other computer networks, messages and even 
executable software can be readily transmitted to 

35 remote locations. The electronic transmission of 
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software can be used to commercially distribute such 
software or to upgrade the existing software of 
purchasers or data terminals connected to a network. 
While such ready access to software and other 
5 information is extremely valuable and advantageous, 
security concerns are also raised. A pervasive 
problem with computing networks, principally the 
internet, is the spread of computer viruses that 
destroy data or impair the operation of computerized 

10 systems. 

An additional problem is the tmauthorized 
sharing or copying of software. Such copying can be 
extremely expensive to the owner of the copyright in 
the software who likely spent significant resources 

15 to create the software. 

These concerns are also raised in the context 
of cable television systems. In cable television 
systems, a set -top terminal or box is typically 
provided by the cable television company to its 

20 subscribers. The set -top terminal is connected, for 
example, between a cable system outlet and the 
subscriber's television set or computer. The set- 
top terminal then receives the cable television 
signal from the headend facility of the cable system 

25 operator. 

The set -top terminal may perform any of a 
variety of functions. For example, the set-top 
terminal may control the subscriber's access to 
particular channels on the cable network. If the 

30 subscriber has not subscribed to "premium" channels, 
the set-top terminal may restrict the subscriber's 
access to those channels. Alternatively, the set-top 
terminal may enable access to those premium channels 
to which the customer has subscribed. 
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Additionally, there is a current trend to 
combine the various data networks available so that 
each household or office has a single connection to 
the information superhighway. An example of this 
5 trend is the developing ability of cable television 
networks to also provide internet access. In such 
systems, the set-top terminal may be an enhanced 
terminal with a modem that provides a connection to 
the internet as well as to the cable television 

IQ signals. The set-top terminal may operate with the 
associated television set to provide web browsing 
capability or may be connected to other computer 
equipment . 

The set-top terminal typically includes 

15 software or .firmware executed by a central processor 
of the set -top terminal that enables the terminal to 
perform the various functions it is called upon to 
perform. There are at least four principal concerns 
with regard to the software or firmware in a set -top 

20 terminal. 

First, it is necessary to prevent a user from 
altering the software or firmware in the set-top box 
so as to allow unauthorized access to services 
available over the cable network for which that user 

25 has not paid. The commercial viability of the cable 
system operator may depend on being able to prevent 
unauthorized and unpaid access to system services . 
Such services may include virtually any electronic 
data service, for example, a range of television 

30 channels, premium channels, pay-per-view 

programming, video -on- demand programming, internet 
access, electronic mail, telephony, etc. 

A related concern is the problem that 
unauthorized attempts to so modify the software or 

35 firmware in a set -top terminal may damage the 



wo 01/61437 



PCT/USOl/04424 



terminal or cause it to fail. This may be of 
particular concern to the cable system operator if 
ownership of the box is retained, by the system 
operator as is often the case. Additionally, damage 
5 may be done to the reputation of the set -top box 
manufacturer, particularly if the cause of the 
failure of the set-top box, i.e., illicit 
modification to the set-top box, is successfully 
concealed. 

10 The unauthorized modification of the software 

or firmware of a set -top terminal may also adversely 
effect the cable system itself. This adverse effect 
may even extend to causing part or all of the cable 
system to fail. Such a result may be intentional or 

15 unintentional. In either event, the operator of the 
cable system may be significantly injured by both 
damage to the cable system and customer 
dissatisfaction. 

Second, the software or firmware in the set-top 

20 terminal should be protected from the intentional 
and malicious introduction of a computer virus that 
will impair the function of the set-top terminal. 
This is particularly true where the set-top terminal 
is being used to connect to the internet. 

25 Third, the software or firmware in the set -top 

terminal may need to be periodically upgraded or 
modified as the cable system evolves or as the 
subscriber requests additional services or the 
removal of services no longer desired. A preferred 

30 means of making such modifications to the set-top 
terminal is to download the upgraded or modified 
software or firmware over the cable network itself. 
This eliminates the need for a technician to visit 
the location of the set-top terminal. However, it 

35 then becomes necessary to provide some security when 
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the new software of firmware is downloaded so that 
it is not altered when received and stored in the 
set-top terminal . 

Fourth, the software or firmware in a set-top 
5 terminal is generally proprietary in nature and may 
represent a significant investment. Therefore, the 
software or firmware in a set -top box should be 
protected from unauthorized copying, e.g., for use 
in another set-top terminal. 

10 Therefore, there is a need in the art for a 

method and system of securing the downloading of 
software or firmware, particularly to a set-top 
terminal in a cable television system, so as to 
ensure that the software or firmware is transmitted 

15 as authorized without alteration or the introduction 
of a virus. There is a further need in the art for 
a method and system of preventing modification of 
the software or firmware stored in and executed by 
the terminal so as to gain unauthorized access to 

20 services. There is a further need in the art for a 
method and system of preventing illicit copying of 
software or firmware, particularly from a set-top 
terminal, for some unauthorized use. 

25 SUMMARY OF THE INVENTION 

It is an object of the present invention to 
meet the above-described needs and others. 
Specifically, it is an object of the present 
invention to provide a method and system for 

30 securing the downloading of software or firmware, 
particularly to a set-top terminal in a cable 
television system, so as to prevent unauthorized 
alterations of, or the introduction of a computer 
virus to, the software or firmware during 

35 transmission. It is a further object of the present 
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invention to provide a method and system for 
preventing the unauthorized duplication of software 
or firmware, particularly in a set-top terminal of a 
cable television system. 
5 Additional objects, advantages and novel 

features of the invention will be set forth in the 
description which follows or may be learned by those 
skilled in the art through reading these materials 
or practicing the invention. The objects and 

10 advantages of the invention may be achieved through 
the means recited in the attached claims . 

To achieve these stated and other objects, the 
present invention may be described as a system for 
secure transmission of programming code to a 

15 computing device. In a principal embodiment, the 
system of the present invention includes: a master 
processor connected to an input data line for 
receiving blocks of programming code, each of which 
is associated with an authentication signature 

20 derived from the content of the block of code; a 
memory xinit for storing the blocks of programming 
code; and a secure processor for independently 
computing an authentication signature for each block 
of programming code and matching the computed 

25 authentication signature against the authentication 
signature transmitted with that block of code. If 
the computed authentication signature fails to match 
the transmitted authentication signature, the secure 
processor takes appropriate action, such as purging 

30 the unauthenticated block of code from memory or 
disabling the computing device. 

A second, isolated memory unit connected to the 
secure processor may be provided for storing data 
needed by the secure processor to compute 

35 authentication signatures. The secure processor may 
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continually re -authenticate the blocks of 
programming code stored in the memory unit to ensure 
their continued legitimacy. 

The master processor, memory unit and secure 
5 processor are all interconnected by a memory bus . 
To avoid conflicts between the master and secure 
processors, the secure processor preferably accesses 
the memory unit only during bus cycles in which the 
master processor is not using the memory bus. A 

10 memory bus controller is provided to police this 

arrangement and control access to the memory bus by 
the main and secure processors. 

Preferably, the memory unit comprises an 
interim memory and a static memory. The master 

15 processor writes the downloaded blocks of code to 
the interim memory initially. After the secure 
processor has authenticated the blocks of code, the 
blocks of code are transferred to the static memory. 
In a preferred embodiment, the computing device 

20 is a set-top terminal incorporating the master 

processor, memory unit and secure processor. The 
input data line is a connection to a cable 
television system. 

In such an embodiment, an entitlement management 
25 message may be associated with the blocks of 

programming code. The secure processor will then 
prevent further storage, use or execution of the 
blocks of programming code unless the entitlement 
management message matches a predetermined 
30 entitlement management message stored by the secure 
processor. This allows selective set-top terminals 
to be reprogrammed by a broadcast of new programming 
code to all the set-top terminals in the system 
indiscriminately. 
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As an additional security measure, the blocks 
of code may be encrypted when received by the master 
processor. The secure processor would preferably 
then include a decrypter, for example executable 
5 decryption software, for decrypting the encrypted 
blocks of code. 

The present invention also encompasses a method 
for making secure transmission of programming code 
to a computing device and, more importantly, for 

10 monitoring and insuring the continued integrity of 
programming code already stored in the computing 
device. Using the principles inherent in the system 
described above, the method includes the principal 
steps of computing an authentication signature for 

15 each of one or more of blocks of programming code 
received or stored in a memory unit with an 
algorithm, the authentication signature being 
computed based on the numeric content of that block 
of programming code; and comparing the computed 

2 0 authentication signature to a transmitted 

authentication signature transmitted or stored in 
association with that block of programming, the 
transmitted authentication signature having been 
generated with the same algorithm. 

25 The present invention also encompasses a second 

system for secure transmission of programming code 
to a computing device. This second system includes: 
a master processor connected to an input data line 
for receiving blocks of programming code, each of 

30 which is associated with an authentication signature 
derived from the content of the block of code; a 
memory unit for storing the blocks of programming 
code; and a background software task running on the 
master processor for independently computing an 

35 authentication signature for each block of 



wo 01/61437 



PCT/USOl/04424 



programming code using the same method as the 
legitimate sender and matching the computed 
authentication signature against the authentication 
signature transmitted with that block of code. As 
5 before, if the computed authentication signature 
fails to match the transmitted authentication 
signature, the background software task may disable 
the computing device. 

If the memory unit comprises an interim memory 

10 and a static memory, the blocks of code may be 

transferred to the static memory when the background 
software task has authenticated those blocks of 
code. If an entitlement management message is 
associated with the block of programming code, the 

15 background software task may prevent further use, 
storage or execution of the blocks of programming 
code tinless the entitlement management message 
matches a predetermined entitlement management 
message stored in the computing device. 

20 

BRIEF DESCRIPTION OF THE DRAWINGS 

The accompanying drawings illustrate the 

present invention and are a part of the 

specification. Together with the following 
25 description, the drawings demonstrate and explain 

the principles of the present invention. 

Fig. 1 is a first embodiment of a computing 

device, such as a set-top terminal of a cable 

television system, according to the present 
30 invention. 

Fig. 2 is a second embodiment of a computing 

device according to the present invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 
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Using the drawings, the preferred embodiments 
of the present invention will now be explained. 

Fig. 1 illustrates a computing device (100) 
according to the present invention. The computing 
5 device (10 0) may be any device which downloads 
software or firmware from a remote source over a 
data line (106) and stores the same for later 
execution. In a preferred embodiment, the computing 
device (100) is a set -top terminal in a cable 

10 television system, and the data line (106) is an 
external connection to the cable signal provider. 
Alternatively, however, the data line (106) could be 
connected to any external port of the computer 
device or could be an internal data line of the 

15 computing device (100) over which someone may 
introduce programming code to the device (100) , 
particularly to the master processor (101) . As used 
herein, programming "code" includes, but is not 
limited to, bootcode, BIOS (basic input /output 

20 sofware) code, operating system software or 
firmware, device driver software or firmware, 
network protocol software or firmware, application 
software (e.g., web browsers, electronic program 
guides, e-mail, chat, etc.), web pages and graphics 

25 images . 

Under the principles of the present invention, 
the computing device (100) includes two distinct 
processors. The first is a master processor (101) 
which may be, for example, a central processing 

30 unit. The master processor (101) is the processor 
which executes object code to perform the functions 
of the computing device (100) . The second processor 
is a secure processor (102) that is used to 
authenticate code downloaded over the data line 

35 (106) so as to prevent the introduction of a virus 
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or code which has been altered during transmission, 
or an unauthorized code object. The secure 
processor (102) also may continually re -authenticate 
code previously received and stored in a memory unit 
5 (103) to prevent unauthorized tampering with or 
additions to the executable code and data resident 
in the set-top terminal (100) . 

Under the principles of the present invention, 
when software or firmware is to be downloaded to the 

10 computing device (100), the legitimate sender will 
break the code being sent into blocks or packets. 
The content of each block or packet of code data is 
then used to compute an authentication signature 
using an algorithm which may require oiie or more 

15 keys as will be understood by those skilled in the 
art. 

The data blocks are then transmitted, in 
association with the computed authentication 
signature, to the master processor (101) over the 

20 external data line (106) . The master processor 

(101) using a memory bus (104) writes the downloaded 
code to a memory unit (103) . The memory unit (103) 
may be any form on non-volatile, long-term 
electronic data storage device including, for 

25 example, an electronic memory device, a magnetic 
hard drive or an optical or magento- optical disc 
drive . 

The memory unit (103.) is divided into memory 
blocks (Block 1 to Block N) . These memory blocks 
30 may correspond to physical sections of the memory 
unit (103) in which data can be stored. The memory 
blocks may also preferably correspond to the blocks 
or packets of data into which the software or 
firmware is partitioned during the downloading. 
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The secure processor (102) has a connection 
(105) to the memory bus (104) and thence to the 
memory unit (103) . After the software or firmware 
has been downloaded into the memory unit (103), the 
5 secure processor (102) will then access each memory 
block. The secure processor (102) is programmed to 
duplicate the algorithm used by the legitimate code 
sender to generate the authentication signature of 
each block of code. 

10 Consequently, the secure processor (102) can 

authenticate the code received by the master 
processor (101) and stored in the memory unit (103) . 

As an alternative, the code blocks may be initially 
received by the secure processor (102) rather than 

15 the master processor (101) . In such a scenario, the 
secure processor (102) authenticates the code blocks 
before storing them in the memory (103) . An 
separate interim memory unit or a specified section 
of the memory unit (103) may be used to store code 

20 blocks being authenticated by the secure processor 

(102) before those code blocks are cleared for 
storage in the long-term memory of the memory unit 

(103) . 

The authentication process will be now 
25 described in more detail. The secure processor 
(102), using the code in each memory block as an 
input, re-computes the authentication signature 
based on the numeric content of the code block and 
any keys used by the legitimate sender. The 
30 authentication signature computed by the secure 
processor (102) is then compared by. the secure 
processor (10 2) to the authentication signature 
transmitted in association with that block of code. 
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If the signatures match, the code in that 
memory block is authenticated as having been 
transmitted by an authorized sender without 
alteration and without the introduction of a 
5 dangerous virus. If, on the other hand, the 

authentication signatures do not match, or the data 
block does not include an authentication signature 
at all, the secure processor (102) determines that 
the code has been altered, perhaps to include a 

10 virus, during transmission of has been sent by an 
unauthorized sender who has no authority to 
reprogram the computing device (100). The secure 
processor (102) can then erase or disable the 
adulterated memory block or blocks. 

15 Alternatively, the secure processor (102) can 

disable the entire computing ■ device (100) requiring 
the intervention of a technician or a signal from 
the system operator to re-initialize the device 
(100) . This may assist the service provider to 

20 identify individuals who have attempted unauthorized 
alterations to the software or firmware in the 
computing device (100). Such a feature is 
particularly of interest if the computing device 
(100) is a set-top terminal of a cable television 

25 system as in the preferred embodiment. 

The secure processor (102) may be hard-wired or 
firm-wired to compute the authentication signatures 
of the data blocks. For more flexibility, the 
secure processor (102) may operate by executing 

30 instructions in an internal memory device or an 
external memory unit (110) . 

Because the response to unauthorized or 
adulterated programming originates from the 
relatively isolated secure processor (102) rather 

35 than the main processor (101) , it is inherently more 
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difficult to anticipate and defeat. Thus, the 
system of the present invention which comprises two 
distinct processors is inherently more secure than 
previous systems . 
5 In addition to authenticating blocks of code 

newly received in the computing device (100) , the 
secure processor (102) will also preferably make a 
periodic sweep of the code blocks in the memory unit 
(103) to re-authenticate those code blocks thereby 

10 insuring that the code in the memory unit (103) has 
not be altered or modified by an unauthorized party. 

It is as important to protect the continued 
integrity of executable programming code already 
stored in the memory unit (103) as to guard against 

15 the introduction of new, tmauthorized or adulterated 
code . 

The^operatron— of-the-secure-proeessor-can— be 

kept from interfering with or slowing the operation 
of the computing device (100) by requiring the 
20 secure processor (102) to access the memory blocks 
of the memory unit (103) during "stolen" bus cycles. 

This means that the secure processor (102) is only 
allowed to access the memory unit (103) during bus 
cycles for which the master processor (101) is 
25 occupied with internal processing and is not 
accessing the memory bus (104). 

For this purpose, a memory bus controller (109) 
is preferably provided. The memory bus controller 
(109) regulates the access to the bus of the two 
30 processors (101) and (102) . The memory bus 

controller (109) may also monitor activity on the 
bus (104) directly. Preferably, the memory bus 
controller (109) responds to the master processor 
(101) so that when the master processor (101) is not 
35 using the memory bus (104) , the memory bus 



wo 01/61437 



PCT/USOl/04424 



controller (109) grants access to the memory bus 
(104) to the secure processor (102) . 

With the secure processor (102) stealing bus 
cycles, the secure processor (102) can be used to 
5 constantly authenticate and re -authenticate the code 
blocks in the memory unit (103) to prevent 
tampering. No loss of speed or inference with the 
operation of the main processor (101) results. 
As an added security measure, the secure 

10 processor (102) can also be programmed to monitor 
the number of bus cycles it receives in any 
specified period of time. If the number of bus 
cycles made available to the secure processor (102) 
falls below a predetermined threshold, the secure 

15 processor (102) can be programmed to assume that the 
set -top box has been tampered with. The secure 
processor (102) can then initiate an appropriate 
response such as shutting down the operation of the 
set -top box and/ or signaling the system operator to 

20 advise of the problem and request a service call by 
an authorized technician. 

The present invention can also be used to 
prevent the unauthorized copying of code in the 
computing device (100) for use in another computing 

25 device. If the second computing device to which the 
code is being copied includes a secure processor 
(102), that processor (102) will be unable to 
authenticate the illicitly copied code without the 
algorithm and/or keys held by the original secure 

30 processor. 

Alternatively, if the second computing device • 
to which the code is copied does not authenticate 
code blocks, the authentication signature embedded 
in the code can be used, as will be clear to those 

35 skilled in the art, to disrupt normal execution of 
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the code by a computer not programmed to recognize, 
extract and make use of the authentication 

signature. 

For additional security, the code being 
5 downloaded over the data line (106) may be 

encrypted. The secure processor (102) could then 
also be used to decrypt the code, block by block, in 
the memory unit (103) . Such encryption will further 
prevent the unauthorized copying of the code for use 

10 elsewhere. 

In the application of the present invention to 
a set -top terminal in a cable television system, the 
problem may arise in which the set -top terminals of 
some subscribers who are receiving premium services 

15 need to receive upgraded software, while other 

subscribers receiving other or lesser services need 
no programming modification. The present invention 
can be used to address this problem by appending an 
entitlement management message to the code blocks 

2 0 being transmitted. The entitlement management 
message may be appended to or embedded in the 
authentication signature or may be an entirely 
separate string. 

The entitlement management message will 

25 indicate which class of set-top terminals are to 
accept and implement the downloading code . The 
secure processor (102) can then compare the 
entitlement management message in the downloading 
code with a complementary message specific to the 

30 terminal (100) in which the secure processor resides 
(102) . The complementary entitlement management 
message may be stored in memory unit (110) . 

If the complementary entitlement management 
message of the secure processor (102) matches that 

35 associated with the downloading code, then the 
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secure processor (102) will proceed to authenticate 
and allow the further storage, use or execution of 
the downloaded code. In this way, code can be 
broadcast over the cable network (106) to all the 
5 set -top terminals in the system with only a selected 
set of set -top terminals accepting and implementing 
the new code. 

The secure processor (102) can also play a role 
in securing the integrity of the programming code 
10 stored in the memory unit (103) as that code is 

executed. For example, before the master processor 

(101) can execute stored programming code, the code 
is transferred from long-term memory, e.g. FLASH 
memory, to RAM (random access memory) . The secure 

15 processor (102) can be used to transfer the code 

from long-term memory to RAM and can re -authenticate 
each block of code incident to that transfer. 

Fig. 2 illustrates a second embodiment of the 
present invention. The principle behind this 

20 embodiment is that a second memory unit for storing 
downloaded code is provided. With two memory units 
storing code, one is used as a temporary or interim 
storage area where downloaded data is written and 
stored initially until it is authenticated by the 

25 secure processor (102) . After the secure processor 

(102) has authenticated the downloaded code, the 
code is transferred from the temporary storage area 
to long-term, static storage from whence it is 
accessed and executed by the master processor (101) 

30 as needed. 

As shown in Fig. 2, a secondary memory vuiit 
(200) is connected (201) to the memory bus (104). 
The secondary memory unit (200) may be a hard drive 
or some other memory device and may even be external 

35 to the computing device (100) . Either memory unit 



wo 01/61437 



PCT/USOl/04424 



(200) or (103) may be used as the temporary storage, 
and either may be used as the long-term storage 
depending on the particular application. 

An alternative approach to the present 
5 invention without employing two separate processors 
is to have a secure software or firmware task 
running on the main processor (101) as a 
"backgroixnd" task. Such a secure task could perform 
all the fxinctions described above for the secure 

10 processor (102) , including (a) continual sweeping of 
the protected memory to validate authentication 
signatures, (b) disabling the computing device 
functions after a failure to properly authenticate a 
memory block, (c) checking for proper entitlements 

15 as part of background authentication process thus 
enabling access control of applications, (d) 
authentication and entitlement validation at the 
time downloaded code is received, and (e) possible 
address resolution and linking of the downloaded 

2 0 code. 

If the secure task can be carefully design to 
resist being hacked into or cracked, then the use of 
a background secure task provides a simple way to 
obtain many of the advantages of the present 
25 invention without requiring the replacement of 

existing computing devices to provide devices having 
the two processor system (101 and 102) described 
above , 

The background task can also be backed up by a 
30 "watchdog" task that would timeout if not regularly 
prompted by the background task. In this way, if 
the background task is somehow defeated and 
deactivated, the watchdog task will no longer be 
prompted and can then take appropriate action such 
35 as deactivating the set-top terminal and/ or 
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signaling the system operator via the headend 
facility. Additionally, the prompting between the 
background and watchdog tasks can use a secure 
handshake that would be very difficult to 
5 counterfeit . 

The preceding description has been presented 
only to illustrate and describe the invention. It 
ie not intended to be exhaustive or to limit the 
invention to any precise form disclosed. Many 

10 modifications and variations are possible in light 
of the above teaching. 

The preferred embodiment was chosen and 
described in order to best explain the principles of 
the invention and its practical application. The 

15 preceding description is intended to enable others 
skilled in the art to best utilize the invention in 
various embodiments and with various modifications 
as are suited to the particular use contemplated. 
It is intended that the scope of the invention be 

2 0 defined by the following claims. 
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WHAT IS CLAIMED IS; 

1. A system for secure transmission of 
5 programming code to a computing device* the system 
comprising: 

a data line for receiving blocks of programming 

code; 

a master processor for executing blocks of 
10 programming code, each of which is associated with 
an authentication signature derived from a content 
of said block of code; 

a memory vnit for storing said blocks of 
programming code for use by said mater processor; 
15 and 

a secure processor for independently computing 
an authentication signature for each said block of 
programming code and matching said computed 
authentication signature against said authentication 
20 signature transmitted or stored in association with 
that block of code. 



2. The system of claim 1, wherein if said 
computed authentication signature fails to match 
25 said transmitted authentication signature, said 
secure processor disables said computing device. 



3. The system of claim 1, wherein if said 
computed authentication signature fails to match 
30 said transmitted authentication signature, said 
secure processor resets said computing device. 



4. The system of claim 1, wherein if said 
computed authentication signature fails to match 
35 said transmitted authentication signature, said 
20 
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secure processor signals for an authorized service 
call for said computing device. 

5. The system of claim 1, wherein said master 
5 processor, memory unit and secure processor are 

interconnected by a memory bus, and said secure 
processor accesses said memory unit only during bus 
cycles in which said master processor is not using 
said memory bus. 

10 

6. The system of claim 5, further comprising 
a memory bus controller for controlling access to 
said memory bus by said main and secure processors. 

15 7. The system of claim 1, wherein: 

said memory unit comprises an interim memory 
and a static memory; 

new blocks of code received over said data line 
are written to said interim memory unit; and 
20 after said secure processor has authenticated 

said blocks of code, the blocks of code are 
transferred to said static memory. 

8. The system of claim I, further comprising 
25 an entitlement management message associated with 

said blocks of programming code, wherein said secure 
processor will prevent further storage, use or 
execution of said blocks of programming code unless 
said entitlement management message matches a 
30 predetermined entitlement management message stored 
by said secure processor. 
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9. The system of claim 1, wherein: 

said computing device is a set -top terminal 
incorporating said master processor, memory unit and 
secure processor; and 
5 said input data line is a connection to a cable 

television system. 

10. The system of claim 1, further comprising 
a second, isolated memory unit connected to said 

10 secure processor. 

11. The system of claim 1, wherein said secure 
processor periodically re -authenticates said blocks 
of programming code stored in said memory unit. 

12. The system of claim 1, wherein said blocks 
of code are encrypted when received by said master 

processor, said secure processor further comprising 
a decrypter for decrypting said encrypted blocks- of 
code . 



13 . A method for making secure transmission of 
programming code to a computing device, the method 

comprising: 

25 computing an authentication signature for each 

of one or more of blocks of programming code newly 
received or stored in a memory unit with an 
algorithm, said authentication signature being 
computed based on a numeric content of that block of 

30 programming code; and 

comparing said computed authentication 
signature to an authentication signature transmitted 
or stored in association with that block of 
programming code, said transmitted authentication 

35 signature having been generated with said algorithm. 
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14. The method of claim 13, wherein if said 
computed authentication signature fails to match 
said transmitted authentication signature, said 

5 method comprises disabling said computing device. 

15. The method of claim 13,. wherein said 
computing and comparing are performed with a secure 
processor which is separate from a master processor 

10 for executing said blocks of code. 



16, The method of claim 15, further comprising 
accessing said blocks of code in said memory unit 
with a memory bus for authentication by said secure 

15 processor only during bus cycles in which said 
master processor is not using said memory bus. 

17. The method of claim 13,, further comprising 
transferring said blocks of code from an interim 

2 0 memory of said memory unit to a static memory of 

said memory unit after said computed authentication 
signature has matched said transmitted 
authentication signature. 

25 18. The method of claim 13, further 

comprising: 

receiving an entitlement management message 
associated with said blocks of programming code; 
storing and executing said blocks of 
30 programming code only if said entitlement management 
message matches a predetermined entitlement 
management message stored in said computing device. 



35 



19. The method of claim 13, further comprising 
repeatedly performing said computing and comparing 
23 
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to re -authenticate said blocks of programming stored 
in said memory unit. 

20. The method of claim 13, further comprising 
5 decrypting said blocks of programming code which are 
received in an encrypted form. 



21. A system for secure transmission of 
programming code to a computing means, the system 

10 comprising: 

a master processing- means connected to an input 
data line for receiving blocks of programming code, 
each of which is associated with an authentication 
signature derived from a content of that block of 

15 code; 

a memory means for storing said blocks of 
programming code; and 

a secure processing means for independently 
computing an authentication signature for each said 
20 block of programming code and matching said computed 
authentication signature against said authentication 
signature transmitted with that block of code. 

22. A system for secure transmission of 

25 programming code to a computing device, the system 
comprising: 

a master processor connected to an input data 
line for receiving blocks of programming code, each 
of which is associated with an authentication 
30 signature derived from a content of said block of 

code ; 

a memory unit for storing said blocks of 
programming code; and 

a background software task running on said 
35 master processor for independently computing an 
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authentication signature for each said block of 
programming code and matching said computed 
authentication signature against said authentication 
signature transmitted with that block of code . 

23. The system of claim 22, wherein if said 
computed authentication signature fails to match 
said transmitted authentication signature, said 
background software task disables said computing 



24. The system of claim 22, wherein if said 
computed authentication signature fails to match 
said transmitted authentication signature, said 

15 background software task resets said computing 

device . 

25. The system of claim 22, wherein if said 
computed authentication signature fails to match 

20 said transmitted authentication signature, said 

background software task signals a service call for 
said computing device. 



26. The system of claim 22, wherein: 
25 said memory unit comprises an interim memory 

and a static memory; 

said master processor writes said downloaded 
blocks of code to said interim memory unit; and 
after said background software task has 
30 authenticated said blocks of code, the blocks of 
code are transferred to said static memory. 



27. The system of claim 22, further comprising 
an entitlement management message associated with 
35 each said block of programming code, wherein said 
25 
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background software task will prevent further 
storage, use or execution of said blocks of 
programming code unless said entitlement management 
message matches a predetermined entitlement 
5 management message stored in said computing device. 

28. The system of claim 22, wherein: 

said computing device is a set -top terminal 

incorporating said master processor and said memory 
10 unit; and 

said input data line is a connection to a cable 

television system. 
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